
passwolf reset: reset a password

passwolf reset overwrites an account's password as a privileged caller. Unlike a change, a reset proves nothing about the old secret: the directory does not verify the previous password, so a reset succeeds even when the old one is unknown, lost, or expired. Because the server treats the operation as an administrative overwrite rather than a self-service change, it also bypasses the minimum password age and the password history check. The trade-off is authority: every reset requires a caller that already holds reset rights on the target. The caller is named with the required --auth-as-user; its credential is supplied with --auth-as-password or, for a pass-the-hash bind, --auth-as-hash, and when you give neither you are prompted for the caller's password at the terminal with no echo.

Reset versus change

Use passwolf reset when you hold reset rights and want to overwrite the secret outright. Use passwolf change when you know the current password and want to rotate it as the account owner. See choosing a method for the decision in full.

Synopsis

passwolf reset --target-domain DOMAIN --target-user USER [--dc DC] --auth-as-user USER [--auth-as-password PASS] (--target-new-password NEWPASS | --target-new-hash [LM:]NT) [options]

--target-user is required and names the account to reset. --auth-as-user is required and names the privileged caller performing the reset. --target-domain is required and gives the DNS domain of the target account. --dc is optional and defaults to the --target-domain value when omitted. The new secret is given with either --target-new-password for the cleartext resets or --target-new-hash for the set-hash reset; give exactly one, or give neither and you are prompted for the new password at the terminal with no echo. Prompting this way keeps the secret off the command line and out of the process list.

What a reset bypasses

A reset is an overwrite, not a self-service rotation, so the server does not apply the controls it enforces on a change:

  • Minimum password age is not consulted, so you can reset an account that was changed moments ago.
  • Password history is not consulted, so the new secret may equal a recent one.
  • The set-hash reset additionally bypasses complexity and length policy, because the server stores the supplied one-way function directly without ever seeing cleartext to validate.

The cleartext resets (samr-aes, samr-rc4, samr-rc4-unsalted, and the advanced AES/RC4 info classes) still pass through complexity and length policy, because the DC receives the new password in cleartext inside an encrypted buffer and validates it. Only the set-hash reset skips that validation.

Options

Every option passwolf reset exposes, grouped as in --help.

Target

Option | Required | Meaning
--target-user USER | Required | The account to reset.
--target-domain DNS | Required | The DNS domain of the target account.
--dc DC | Optional | The DC to reach. Defaults to the --target-domain value.

New secret (required: give one, prompted if you give neither)

Option | Required | Meaning
--target-new-password PASS | Required: give one (prompted if you give neither) | The new cleartext password, for the cleartext methods. Omit both this and --target-new-hash and you are prompted for the new password with no echo.
--target-new-hash [LM:]NT | Required: give one (prompted if you give neither) | The new NT hash for the set-hash reset. A bare NT sets the NT half only; LM:NT sets both halves.

Privileged caller

--auth-as-user is required. The remaining caller options are optional: if you give neither --auth-as-password nor --auth-as-hash, you are prompted for the caller's password at the terminal with no echo, which keeps it off the command line and out of the process list.

Option | Required | Meaning
--auth-as-user USER | Required | The caller account that holds reset rights on the target.
--auth-as-password PASS | Optional | The caller's password. Omit both this and --auth-as-hash and you are prompted for the password with no echo.
--auth-as-hash [LM:]NT | Optional | The caller's NT hash, for a pass-the-hash bind instead of a password.
--auth-as-domain DNS | Optional | The caller's domain, when it differs from the target domain. Defaults to the --target-domain value.
-k, --kerberos | Optional | Bind the privileged --auth-as-user caller with Kerberos instead of NTLM. Uses the TGT in KRB5CCNAME when that points to a usable ticket cache, otherwise requests one from the --dc KDC.

With -k the bind of the privileged caller authenticates over Kerberos rather than NTLM. When the KRB5CCNAME environment variable points to a usable ticket cache, the TGT in it is used and the run needs no password at all, so -k suppresses the caller-password prompt. Otherwise a TGT is requested from the KDC, which is the --dc host, using --auth-as-password or --auth-as-hash; you may still pass either with -k to fetch a fresh ticket. -k governs only how the caller binds. It does not affect the value being set: --target-new-password and --target-new-hash behave exactly as they do without -k.

Method selection

Option | Required | Meaning
--method METHOD | Optional | The reset method, or auto (default). See the method list below.
--transport {smb,tcp} | Optional | Transport for the SAMR resets (default smb).
--ldaps | Optional | Use LDAPS on 636 for the ldap method instead of sealed LDAP on 389.

Expiry

Option | Required | Meaning
--expire | Optional | Force a change at next logon (default).
--no-expire | Optional | Leave the password as not expired.

--expire and --no-expire are mutually exclusive. The flag is honored by the AES, RC4, and set-hash resets.

DSRM reset (DC-local recovery account)

Option | Required | Meaning
--dsrm | Optional | Reset the DC-local Directory Services Restore Mode password via SamrSetDSRMPassword (opnum 66). SMB transport only, and the --target-user value is ignored.

Output formatting

Option | Required | Meaning
--format {text,json,pretty} | Optional | Output format. The default is pretty.
-v, --verbose | Optional | Enable debug logging.

Reset methods

--method accepts one of: auto, samr-aes, samr-rc4, samr-rc4-unsalted, samr-hash, kpasswd, ldap. The DSRM reset is selected by the separate --dsrm flag, not by --method. The AES all-information form (UserInternal8) is reachable through the advanced flags below (--reset-info-class internal8) rather than as a standard --method.

Method | New secret | What it does
auto (default) | --target-new-password or --target-new-hash | Tries every method in turn (kpasswd, ldaps, ldap, samr-aes, samr-rc4, samr-rc4-unsalted, samr-hash) and takes the first that succeeds. If only --target-new-hash is supplied, AUTO skips the cleartext methods and goes straight to the set-hash reset.
samr-aes | --target-new-password | AES cleartext reset carrying the password only, via SamrSetInformationUser2 with UserInternal7 (the smallest AES form).
samr-rc4 | --target-new-password | RC4 + MD5-salt cleartext reset, via SamrSetInformationUser2 with UserInternal4InformationNew.
samr-rc4-unsalted | --target-new-password | Legacy unsalted RC4 cleartext reset, via SamrSetInformationUser2 with UserInternal4Information.
samr-hash | --target-new-hash | Set-hash reset: writes the NT (and optionally LM) one-way function directly, via SamrSetInformationUser with UserInternal1. Full policy bypass.
kpasswd | --target-new-password | Kerberos set protocol (administrative set, distinct from the self-service change).
ldap | --target-new-password | LDAP unicodePwd single replace. Use --ldaps to run it over 636.

For samr-hash, the info class (UserInternal1, level 18) is what makes the operation a hash-set, not the opnum: opnum 37 (SamrSetInformationUser) and opnum 58 (SamrSetInformationUser2) are interchangeable ([MS-SAMR] 3.1.5.6.5: opnum 37 "MUST behave as with a call to SamrSetInformationUser2"), so the same write also goes out over SamrSetInformationUser2. UserInternal1 is one of two remotely-usable raw-OWF paths; UserAllInformation (level 21) can also carry the NT/LM OWF fields, and both were live-confirmed to set the NT hash on Server 2022 and 2025. samr-hash uses opnum 37 to mirror the native Windows client, which sends every classic level over 37 and reserves opnum 58 for the newer salted/AES levels.

Advanced SAMR selection

Two advanced flags expose the exact wire form, overriding --method. They let you send any of the eight settable password-bearing USER_INFORMATION_CLASS values over either opnum (37 or 58), sixteen combinations in all. This is for testing and for servers that accept only a particular shape; the standard --method shortcuts above cover normal use.

Flag | Values | Meaning
--reset-info-class CLASS | internal1, userall, internal4, internal5, internal4new, internal5new, internal7, internal8 | Send the reset using this exact info class, overriding --method. The hash classes (internal1, userall) take --target-new-hash, or a cleartext --target-new-password that is hashed locally into its NT OWF; the rest need --target-new-password.
--reset-opnum {37,58} | 37 or 58 (default 58) | Which opnum carries the reset: SamrSetInformationUser (37) or SamrSetInformationUser2 (58). Only meaningful with --reset-info-class. Older DCs may reject the newer (*new, internal7, internal8) classes on opnum 37.
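The hash classes accept either a ready-made [LM:]NT value or a cleartext that is hashed locally into its NT OWF. The following is an added example, not passwolf's own code, showing both halves of that contract in a form you can run offline: an NT OWF computed as MD4 over the UTF-16LE cleartext (the standard definition, implemented in pure Python so it does not depend on OpenSSL's legacy MD4 provider), and a validator for the [LM:]NT argument shape documented above. The function names, the sample cleartext, and the "this LM half is effectively disabled" check are this example's own assumptions; the LM value aad3b435b51404eeaad3b435b51404ee is the LM OWF of the empty password, which is what the page's own LM:NT example carries.

```python
import struct

MASK32 = 0xFFFFFFFF

# Assumption of this example: the LM OWF of an empty password, i.e. "no LM hash stored".
EMPTY_LM_OWF = "aad3b435b51404eeaad3b435b51404ee"


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Runs without OpenSSL's legacy provider."""
    msg = bytearray(data)
    bit_len = len(data) * 8
    msg.append(0x80)                      # one 1-bit, then zero padding to 56 mod 64
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)     # 64-bit little-endian length

    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476

    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):               # round 1: words in order, shifts 3 7 11 19
            a, b, c, d = d, _rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):               # round 2: words 0 4 8 12 1 5 9 13 ..., shifts 3 5 9 13
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):               # round 3: fixed word order, shifts 3 9 11 15
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = ((a0 + a) & MASK32, (b0 + b) & MASK32,
                          (c0 + c) & MASK32, (d0 + d) & MASK32)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_owf_hex(password: str) -> str:
    """NT OWF: MD4 over the UTF-16LE encoding of the cleartext, unsalted."""
    return md4(password.encode("utf-16le")).hex()


def parse_target_new_hash(arg: str):
    """Parse the [LM:]NT form into (lm, nt). lm is None when only NT was given."""
    parts = arg.strip().lower().split(":")
    if len(parts) == 1:
        lm, nt = None, parts[0]
    elif len(parts) == 2:
        lm, nt = parts
    else:
        raise ValueError("expected NT or LM:NT")
    for half in (lm, nt):
        if half is not None and (len(half) != 32 or any(ch not in "0123456789abcdef" for ch in half)):
            raise ValueError(f"{half!r} is not a 32-hex-digit OWF")
    return lm, nt


def is_valid_target_new_hash(arg: str) -> bool:
    try:
        parse_target_new_hash(arg)
        return True
    except ValueError:
        return False


def lm_half_is_disabled(lm) -> bool:
    """True when no LM half is set, or it is the empty-password LM OWF."""
    return lm is None or lm == EMPTY_LM_OWF


if __name__ == "__main__":
    # Constructed sample: confirm a cleartext and a hash argument describe the same NT half.
    cleartext = "NewPass1!"
    print("NT OWF of constructed sample:", nt_owf_hex(cleartext))
    lm, nt = parse_target_new_hash(EMPTY_LM_OWF + ":" + nt_owf_hex(cleartext))
    print("LM half disabled:", lm_half_is_disabled(lm), "NT matches cleartext:", nt == nt_owf_hex(cleartext))
```

A practical use is a pre-flight check before a set-hash reset: hash the cleartext you intend the account to have and compare it with the NT half you are about to pass, so a typo in a 32-digit hex string does not silently set a value nobody knows. Passing the empty-password LM OWF as the LM half, as the page's LM:NT example does, leaves the account without a usable LM hash.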

The eight classes and what each carries:

--reset-info-class | Level | Cipher | Secret | Notes
internal1 | 18 | DES (session key) | NT/LM hash | The dedicated set-hash structure (what samr-hash sends).
userall | 21 | DES (session key) | NT/LM hash | Same hash set carried in the all-information block.
internal4 | 23 | RC4 unsalted (session key) | password | What samr-rc4-unsalted sends.
internal5 | 24 | RC4 unsalted (session key) | password | Password-only structure; the server maps it onto internal4.
internal4new | 25 | RC4 + MD5 salt (session key) | password | What samr-rc4 sends.
internal5new | 26 | RC4 + MD5 salt (session key) | password | Password-only structure; the server maps it onto internal4new.
internal7 | 31 | AES (session key) | password | What samr-aes sends; the server maps it onto internal8.
internal8 | 32 | AES (session key) | password | AES carried in the all-information block.

Several classes are server-mapped (internal5 -> internal4, internal5new -> internal4new, internal7 -> internal8, and internal1 into the all-information block), so each produces a stored result identical to its target; only the wire shape differs. See the SAMR RPC reference for the full structure-by-structure breakdown.

AUTO order

For a cleartext reset, AUTO walks the method list in order (kpasswd, then ldaps (636), then ldap (389), then the SAMR ladder of samr-aes, samr-rc4, samr-rc4-unsalted, samr-hash) and takes the first that succeeds. A SamrConnect5 preflight skips the AES rung when the DC does not advertise the AES password buffer. samr-hash is the last resort: because it writes the NT OWF directly it still applies when a password policy rejected every cleartext attempt. Run with -v to see which rungs were skipped and why; the outcome reports the method that actually ran, not auto.

Protocol depth, info levels, and the buffer encryption for each method live in reset methods internals.

Cleartext reset versus set-hash reset

These are two different operations with different inputs and different policy behavior.

Cleartext reset

You supply the new password as cleartext with --target-new-password. The tool encrypts it into the SAMR password buffer (AES or RC4) and the DC decrypts it, validates it against complexity and length policy, and stores it. The account ends up with a real password you can hand to the user.

passwolf reset --target-domain corp.local --target-user jdoe --dc dc01.corp.local --auth-as-user Administrator --auth-as-password 'Admin1!' --target-new-password 'NewPass1!'

Set-hash reset

You supply the NT hash (or LM:NT) with --target-new-hash. The DC stores the one-way function directly and never sees cleartext, so complexity and length policy do not apply. This is a full policy bypass. Use it to clone a known hash onto an account or to set a value no cleartext maps to under policy.

passwolf reset --target-domain corp.local --target-user jdoe --dc dc01.corp.local --auth-as-user Administrator --auth-as-password 'Admin1!' --target-new-hash 47c4cc3a368a4a0fa79a7bf059b7adba

The SAMR cleartext and set-hash resets need the SMB transport

The AES, RC4, and set-hash SAMR resets use the SMB session key as the buffer encryption key, so they require the SMB named-pipe transport, not direct TCP. With --transport tcp there is no session key to derive from, and these methods cannot run.

Expiry control

By default a reset sets the account to require a change at next logon (--expire). Pass --no-expire to leave the password marked as not expired, which is the usual choice for service accounts that must keep authenticating with the value you just set.

Set-hash and expiry: Kerberos AES keys

A set-hash reset stores the NT one-way function directly and does not regenerate the account's Kerberos AES keys, which are normally derived from the cleartext. Those keys stay stale or absent until a later cleartext set or change (scripts/10). Combined with --expire the server is specified to write PasswordExpired = 1 ([MS-SAMR] 2.2.6.1) and therefore pwdLastSet = 0 ([MS-SAMR] 3.1.5.6.4), flagging must-change-at-next-logon (spec-derived; not exercised live, since the live set-hash resets ran with PasswordExpired = 0). The set-hash reset itself was confirmed to return success on both Server 2022 and Server 2025. If a service account must keep authenticating with the value you just set, pass --no-expire.

DSRM recovery reset

--dsrm resets the DC-local Directory Services Restore Mode password, the local recovery account on a domain controller, via SamrSetDSRMPassword (opnum 66). It is its own selector and overrides --method. This operation is served only over the SMB named pipe, so it requires --transport smb, and the --target-user value is ignored because the DSRM account is fixed and DC-local rather than a directory object. Supply the new value with --target-new-password.

passwolf reset --target-domain corp.local --target-user dsrm --dc dc01.corp.local --auth-as-user Administrator --auth-as-password 'Admin1!' --target-new-password 'NewDsrm1!' --dsrm

Worked examples

# AUTO reset (kpasswd -> ldaps -> ldap -> SAMR ladder, first that works) as a privileged caller
passwolf reset --target-domain corp.local --target-user jdoe --dc dc01.corp.local --auth-as-user Administrator --auth-as-password 'Admin1!' --target-new-password 'NewPass1!'

# Set the NT hash directly: full policy bypass
passwolf reset --target-domain corp.local --target-user jdoe --dc dc01.corp.local --auth-as-user Administrator --auth-as-password 'Admin1!' --target-new-hash 47c4cc3a368a4a0fa79a7bf059b7adba

# Set both LM and NT halves
passwolf reset --target-domain corp.local --target-user jdoe --dc dc01.corp.local --auth-as-user Administrator --auth-as-password 'Admin1!' --target-new-hash aad3b435b51404eeaad3b435b51404ee:47c4cc3a368a4a0fa79a7bf059b7adba

# Reset a service account without forcing a change at next logon
passwolf reset --target-domain corp.local --target-user svc --dc dc01.corp.local --auth-as-user Administrator --auth-as-password 'Admin1!' --target-new-password 'NewPass1!' --no-expire

# Pin the method to the salted RC4 cleartext reset
passwolf reset --target-domain corp.local --target-user jdoe --dc dc01.corp.local --auth-as-user Administrator --auth-as-password 'Admin1!' --target-new-password 'NewPass1!' --method samr-rc4

# Advanced: send a specific info class over a specific opnum (here UserInternal8 over opnum 58)
passwolf reset --target-domain corp.local --target-user jdoe --dc dc01.corp.local --auth-as-user Administrator --auth-as-password 'Admin1!' --target-new-password 'NewPass1!' --reset-info-class internal8 --reset-opnum 58

# Advanced: set the hash via the all-information block (UserAllInformation) instead of UserInternal1
passwolf reset --target-domain corp.local --target-user jdoe --dc dc01.corp.local --auth-as-user Administrator --auth-as-password 'Admin1!' --target-new-hash <NTHASH> --reset-info-class userall

# Reset over the Kerberos set protocol
passwolf reset --target-domain corp.local --target-user jdoe --dc dc01.corp.local --auth-as-user Administrator --auth-as-password 'Admin1!' --target-new-password 'NewPass1!' --method kpasswd

# Reset via the LDAP unicodePwd replace over LDAPS
passwolf reset --target-domain corp.local --target-user jdoe --dc dc01.corp.local --auth-as-user Administrator --auth-as-password 'Admin1!' --target-new-password 'NewPass1!' --method ldap --ldaps

# Pass-the-hash bind for the privileged caller
passwolf reset --target-domain corp.local --target-user jdoe --dc dc01.corp.local --auth-as-user Administrator --auth-as-hash 47c4cc3a368a4a0fa79a7bf059b7adba --target-new-password 'NewPass1!'

# Bind the privileged caller with Kerberos, using the TGT in KRB5CCNAME (no caller password)
passwolf reset --target-domain corp.local --target-user jdoe --dc dc01.corp.local --auth-as-user Administrator -k --target-new-password 'NewPass1!'

# Reset the DC-local DSRM recovery password
passwolf reset --target-domain corp.local --target-user dsrm --dc dc01.corp.local --auth-as-user Administrator --auth-as-password 'Admin1!' --target-new-password 'NewDsrm1!' --dsrm

# Emit machine-readable JSON instead of the default pretty output
passwolf reset --target-domain corp.local --target-user jdoe --dc dc01.corp.local --auth-as-user Administrator --auth-as-password 'Admin1!' --target-new-password 'NewPass1!' --format json

Output

The default output format is pretty. Use --format text for a plain single-line result or --format json for a machine-readable object. See output formats for the shape of each.

Credentials on the command line

Passwords and hashes passed on the command line may be visible to other local users via the process list. Prefer a host where that exposure is acceptable, or, when your workflow allows it, supply only --auth-as-user USER and let passwolf prompt for the caller's password at the terminal, so the bind credential never appears in the argument vector.
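A small pre-flight check for the exposure described above, added here as an example and not part of passwolf: it scans an intended passwolf argument vector for the four secret-bearing flags documented on this page, reports which secrets would land in the process list, and rewrites the argv into the form that makes passwolf prompt instead. It handles only the space-separated "--flag VALUE" form shown on this page (an assumption), and it refuses to strip the hash flags, because a hash cannot be typed at the password prompt; in that case the page's alternatives are -k with a TGT in KRB5CCNAME for the caller side, or accepting the exposure.

```python
import sys

# The four flags on this page whose value is a secret (constructed from the option tables).
SECRET_VALUE_FLAGS = ("--auth-as-password", "--auth-as-hash",
                      "--target-new-password", "--target-new-hash")
# Secrets passwolf will ask for at the terminal when the flag is omitted (per this page).
PROMPTABLE = {"--auth-as-password", "--target-new-password"}


def exposed_secrets(argv):
    """Return the secret-bearing flags in argv that carry a value on the command line."""
    return [tok for i, tok in enumerate(argv)
            if tok in SECRET_VALUE_FLAGS and i + 1 < len(argv)]


def prompt_safe_argv(argv):
    """Drop promptable secrets and their values so passwolf prompts for them with no echo.

    Raises ValueError for --auth-as-hash / --target-new-hash: a hash has no prompt form.
    With -k present, the caller-password prompt is suppressed when KRB5CCNAME holds a TGT,
    so dropping --auth-as-password is still the right move.
    """
    out, i = [], 0
    while i < len(argv):
        tok = argv[i]
        if tok in SECRET_VALUE_FLAGS and i + 1 < len(argv):
            if tok not in PROMPTABLE:
                raise ValueError(f"{tok} cannot be replaced by a terminal prompt; "
                                 f"run it only where process-list exposure is acceptable")
            i += 2                      # skip the flag and its value
            continue
        out.append(tok)
        i += 1
    return out


def needs_caller_secret(argv):
    """False when -k/--kerberos is present (caller may bind from the KRB5CCNAME TGT)."""
    return not ("-k" in argv or "--kerberos" in argv)


if __name__ == "__main__":
    # Usage: python guard.py passwolf reset --target-domain ... (hypothetical file name)
    argv = sys.argv[1:]
    for flag in exposed_secrets(argv):
        print(f"warning: value of {flag} would be visible in the process list", file=sys.stderr)
    try:
        print(" ".join(prompt_safe_argv(argv)))
    except ValueError as err:
        print(f"cannot make argv prompt-safe: {err}", file=sys.stderr)
        sys.exit(2)
```

Run it on the command you are about to type and paste the rewritten line; passwolf then asks for the caller password and the new password at the terminal, which is the behaviour the Synopsis and Privileged caller sections describe. Note that a prompt only works for an interactive run; an unattended job has to use -k with a ticket cache or accept the command-line exposure on a host where that is acceptable.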

Exit status

Code | Meaning
0 | Success.
1 | A failed or unavailable method.
2 | A usage error.

See also